From denial to opportunity – The five-stage cyber security journey

The digital economy is brimming with commercial opportunity for those that embrace new technologies and innovative business models.

Regrettably, one sector which has been quick off the mark to grasp the opportunity is the criminal community.

Cybercrime already outnumbers traditional criminal offences in some national crime statistics. The global outbreaks of WannaCry and Petya in 2017 showed the astonishing speed and scale at which even unsophisticated attacks can spread, and underlined how ill-prepared even some big organisations are to protect themselves from criminal cyber activity.

Progress lies in accepting that cyber security is not a single destination but a complex journey. Broadly speaking, there are five stages along the way.

Stage One: Denial – ‘there is no threat’. The hard truth is that all organisations face low-level cyber threats every day, even if they don’t realise it. Criminals don’t only target big business but increasingly go after SMEs and individuals, soft targets that can provide a pathway into more valuable hunting ground.

Every business is a target and must put in place the basics. WannaCry is the proof: it spread through a flaw in SMBv1 file sharing that Microsoft had patched two months before the outbreak, so routine software updates (or simply disabling SMBv1 and blocking port 445 at the network edge) would have defeated it at first contact.

Stage Two: Worry – ‘let’s spend on the latest security systems and solutions’. The immediate reaction from the board is to throw money at the problem, along with the appointment of a Chief Information Security Officer (CISO).

However, technology isn’t necessarily the first priority. Because the weakest link is often human, education comes first. Once people understand how they fit into the big picture, they can protect themselves and the company, and become a major line of defence. Training works best when it is measured (for example by simulated phishing and by how quickly staff report suspicious messages) and backed by controls that limit the damage a single mistaken click can do.

Stage Three: False confidence – ‘we’re sorted, bring it on’. There is no 100 per cent protection against cybercrime. For example, criminals are now turning their attention to the supply chain, where a contractor’s compromised account or remote access could unwittingly unlock a path into their client organisations. Then there is ‘whaling’, a highly targeted form of phishing aimed at senior executives, and the closely related ‘CEO fraud’, in which attackers impersonate those executives and use their authority to push through fraudulent financial transactions.

The way to combat false confidence is to revisit policies, question assumptions and investments, and identify emerging risks and issues. Consider the realistic scenarios – ransomware (would you pay a ransom, and how, and do you have tested backups so that you need not?), data breaches, distributed denial of service attacks, sabotage and fraud. Now is the time to plan and prepare for incidents and to rehearse your responses, for instance in tabletop exercises with the people who would actually make the decisions.

Stage Four: Hard lessons – ‘there’s no such thing as absolute security’. Even the best prepared and protected will still experience a security breach. Perhaps new security solutions are a poor fit with the existing IT infrastructure, leaving gaps in coverage. On balance, it’s better to go with a security product that’s only 80 per cent right but works with what you already have and that employees can use easily, than a perfect one that is never fully deployed.

This is a good point to consider cyber security insurance. The act of choosing and buying a policy will prompt you to think through potential weaknesses and, if the worst happens, you’ll have access to expert help and the resources you need to get the business back on track. Read the exclusions carefully, though: a policy is a financial backstop, not a substitute for the controls it will usually expect you to have in place.

Stage Five: True leadership – ‘we can’t do this alone’. True leaders will accept that this is how the digital world is, and set out to share threat information and collaborate with their peers, through sector and national information-sharing groups, to make it ever harder for criminals to succeed.

The cold reality is that every organisation is a target. The best defence is not what you buy but how you behave. And businesses which treat cyber security not as a destination but as a journey will be strongly positioned to protect themselves in the evolving digital economy.